183d2307dSDag-Erling SmørgravPrivilege separation, or privsep, is method in OpenSSH by which 283d2307dSDag-Erling Smørgravoperations that require root privilege are performed by a separate 383d2307dSDag-Erling Smørgravprivileged monitor process. Its purpose is to prevent privilege 483d2307dSDag-Erling Smørgravescalation by containing corruption to an unprivileged process. 583d2307dSDag-Erling SmørgravMore information is available at: 683d2307dSDag-Erling Smørgrav http://www.citi.umich.edu/u/provos/ssh/privsep.html 783d2307dSDag-Erling Smørgrav 8*19261079SEd MastePrivilege separation is now mandatory. During the pre-authentication 9*19261079SEd Mastephase sshd will chroot(2) to "/var/empty" and change its privileges to the 10*19261079SEd Maste"sshd" user and its primary group. sshd is a pseudo-account that should 11*19261079SEd Mastenot be used by other daemons, and must be locked and should contain a 12ee21a45fSDag-Erling Smørgrav"nologin" or invalid shell. 13ee21a45fSDag-Erling Smørgrav 14ee21a45fSDag-Erling SmørgravYou should do something like the following to prepare the privsep 15ee21a45fSDag-Erling Smørgravpreauth environment: 1683d2307dSDag-Erling Smørgrav 1783d2307dSDag-Erling Smørgrav # mkdir /var/empty 1883d2307dSDag-Erling Smørgrav # chown root:sys /var/empty 1983d2307dSDag-Erling Smørgrav # chmod 755 /var/empty 2083d2307dSDag-Erling Smørgrav # groupadd sshd 21ee21a45fSDag-Erling Smørgrav # useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd 2283d2307dSDag-Erling Smørgrav 2383d2307dSDag-Erling Smørgrav/var/empty should not contain any files. 2483d2307dSDag-Erling Smørgrav 2583d2307dSDag-Erling Smørgravconfigure supports the following options to change the default 2683d2307dSDag-Erling Smørgravprivsep user and chroot directory: 2783d2307dSDag-Erling Smørgrav 2883d2307dSDag-Erling Smørgrav --with-privsep-path=xxx Path for privilege separation chroot 2983d2307dSDag-Erling Smørgrav --with-privsep-user=user Specify non-privileged user for privilege separation 3083d2307dSDag-Erling Smørgrav 31043840dfSDag-Erling SmørgravPAM-enabled OpenSSH is known to function with privsep on AIX, FreeBSD, 32043840dfSDag-Erling SmørgravHP-UX (including Trusted Mode), Linux, NetBSD and Solaris. 3383d2307dSDag-Erling Smørgrav 3447dd1d1bSDag-Erling SmørgravOn Cygwin, Tru64 Unix and OpenServer only the pre-authentication part 3547dd1d1bSDag-Erling Smørgravof privsep is supported. Post-authentication privsep is disabled 36d74d50a8SDag-Erling Smørgravautomatically (so you won't see the additional process mentioned below). 37d0c8c0bcSDag-Erling Smørgrav 3883d2307dSDag-Erling SmørgravNote that for a normal interactive login with a shell, enabling privsep 3983d2307dSDag-Erling Smørgravwill require 1 additional process per login session. 4083d2307dSDag-Erling Smørgrav 4183d2307dSDag-Erling SmørgravGiven the following process listing (from HP-UX): 4283d2307dSDag-Erling Smørgrav 4383d2307dSDag-Erling Smørgrav UID PID PPID C STIME TTY TIME COMMAND 4483d2307dSDag-Erling Smørgrav root 1005 1 0 10:45:17 ? 0:08 /opt/openssh/sbin/sshd -u0 4583d2307dSDag-Erling Smørgrav root 6917 1005 0 15:19:16 ? 0:00 sshd: stevesk [priv] 4683d2307dSDag-Erling Smørgrav stevesk 6919 6917 0 15:19:17 ? 0:03 sshd: stevesk@2 4783d2307dSDag-Erling Smørgrav stevesk 6921 6919 0 15:19:17 pts/2 0:00 -bash 4883d2307dSDag-Erling Smørgrav 4983d2307dSDag-Erling Smørgravprocess 1005 is the sshd process listening for new connections. 5083d2307dSDag-Erling Smørgravprocess 6917 is the privileged monitor process, 6919 is the user owned 5183d2307dSDag-Erling Smørgravsshd process and 6921 is the shell process. 52